SlideShare une entreprise Scribd logo

Building a moat bastion server

N
nseemiller
1  sur  14
Télécharger pour lire hors ligne
Building a Moat
actually, a bastion server
What does it do? Provides a secure, single point of entry to your application servers
Why do you care?
What’s it look like? Service Requests SSH
Bastion System Setup wget ruby* MySQL* curl postgresql* xorg* nginx net-snmp-libs jasper-libs Uninstall telnet everything! php* automake *X11 monit gcc DNS Name Server Mail Server ftp neon *devel* finger fetchmail net-snmp-libs
Bastion System Setup install netcat
Bastion System Setup update everything that remains! sudo yum upgrade
Bastion SSH Config Change Port from 22 Port 2222 Disable password logins/auth PasswordAuthentication no Disable PAM UsePAM no
Bastion IPTABLES DENY!!!!! /etc/sysconfig/iptables ... *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [237:32957] -A INPUT -i lo -j ACCEPT -A INPUT -m state --state ESTABLISHED -j ACCEPT -A INPUT -m state --state INVALID -j DROP -A INPUT -p icmp -j ACCEPT -A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT COMMIT
Bastion User Create a secure user group sudo /usr/sbin/groupadd moat Create a “keymaster” Generate and upload an SSH key
Other Users Generate ssh-keys, use passphrases! sudo /usr/sbin/useradd -G moat -m new_user sudo mkdir -p /home/new_user/.ssh sudo mv ~/.new_user_ssh.pub /home/new_user/.ssh/authorized_keys sudo chmod -R 700 /home/new_user/.ssh sudo chown -R new_user:new_user /home/new_user/.ssh echo Any_r@nd0m_p@55w04D | sudo passwd new_user --stdin
Protected Server Iptables ... *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] ... -A INPUT -s <moat’s IP address> -p tcp -m tcp --dport 22 -j ACCEPT # HTTP and HTTPS -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT COMMIT
SSH Proxy through moat to access remote machines Host app001 Hostname app-001.blackboxservers.com User app_user ProxyCommand ssh -q -p 2222 $MOAT_USER@moat-001.blackboxservers.com nc %h 22 To SSH, just export your name and go! $> export MOAT_USER=george $> ssh app001 george@app-001.blackboxservers.com's password:

Recommandé

Linux Server Start
Linux Server StartLinux Server Start
Linux Server StartGavin Quan
 
Configuration of BIND DNS Server On CentOS 8
Configuration of BIND DNS Server On CentOS 8Configuration of BIND DNS Server On CentOS 8
Configuration of BIND DNS Server On CentOS 8Kaan Aslandağ
 
Configuration Firewalld On CentOS 8
Configuration Firewalld On CentOS 8Configuration Firewalld On CentOS 8
Configuration Firewalld On CentOS 8Kaan Aslandağ
 
Sistemas operacionais 8
Sistemas operacionais 8Sistemas operacionais 8
Sistemas operacionais 8Nauber Gois
 
Presentation Linux Server setup Advance Networking
Presentation Linux Server setup Advance NetworkingPresentation Linux Server setup Advance Networking
Presentation Linux Server setup Advance NetworkingTariqul Islam Shohag
 
CentOS Server Gui Initial Configuration
CentOS Server Gui Initial ConfigurationCentOS Server Gui Initial Configuration
CentOS Server Gui Initial ConfigurationKaan Aslandağ
 
Firewalld LAB
Firewalld LABFirewalld LAB
Firewalld LABKaan Aslandağ
 
Ftp configuration in rhel7
Ftp configuration in rhel7Ftp configuration in rhel7
Ftp configuration in rhel7Balamurugan M
 

Recommandé

Linux Server Start
Linux Server StartLinux Server Start
Linux Server StartGavin Quan
 
Configuration of BIND DNS Server On CentOS 8
Configuration of BIND DNS Server On CentOS 8Configuration of BIND DNS Server On CentOS 8
Configuration of BIND DNS Server On CentOS 8Kaan Aslandağ
 
Configuration Firewalld On CentOS 8
Configuration Firewalld On CentOS 8Configuration Firewalld On CentOS 8
Configuration Firewalld On CentOS 8Kaan Aslandağ
 
Sistemas operacionais 8
Sistemas operacionais 8Sistemas operacionais 8
Sistemas operacionais 8Nauber Gois
 
Presentation Linux Server setup Advance Networking
Presentation Linux Server setup Advance NetworkingPresentation Linux Server setup Advance Networking
Presentation Linux Server setup Advance NetworkingTariqul Islam Shohag
 
CentOS Server Gui Initial Configuration
CentOS Server Gui Initial ConfigurationCentOS Server Gui Initial Configuration
CentOS Server Gui Initial ConfigurationKaan Aslandağ
 
Firewalld LAB
Firewalld LABFirewalld LAB
Firewalld LABKaan Aslandağ
 
Ftp configuration in rhel7
Ftp configuration in rhel7Ftp configuration in rhel7
Ftp configuration in rhel7Balamurugan M
 
Configuration of NTP Server on CentOS 8
Configuration of NTP Server on CentOS 8Configuration of NTP Server on CentOS 8
Configuration of NTP Server on CentOS 8Kaan Aslandağ
 
Quick Start Guide using Virtuozzo 7 (β) on AWS EC2
Quick Start Guide using Virtuozzo 7 (β) on AWS EC2Quick Start Guide using Virtuozzo 7 (β) on AWS EC2
Quick Start Guide using Virtuozzo 7 (β) on AWS EC2Kentaro Ebisawa
 
OpenVPN
OpenVPNOpenVPN
OpenVPNEmil CHERICHEȘ
 
DevOps Braga #6
DevOps Braga #6DevOps Braga #6
DevOps Braga #6DevOps Braga
 
RHCSA
RHCSARHCSA
RHCSAŁukasz Jarzyński
 
Configuration of Smtp Server On CentOS 8
Configuration of Smtp Server On CentOS 8Configuration of Smtp Server On CentOS 8
Configuration of Smtp Server On CentOS 8Kaan Aslandağ
 
Configuration of SFTP Server on CentOS 8.pdf
Configuration of SFTP Server on CentOS 8.pdfConfiguration of SFTP Server on CentOS 8.pdf
Configuration of SFTP Server on CentOS 8.pdfKaan Aslandağ
 
Cloud Compt
Cloud ComptCloud Compt
Cloud ComptKanchilug
 
Puppet
PuppetPuppet
PuppetŁukasz Jagiełło
 
CentOS Server CLI Configuration (Nmcli & Hosts)
CentOS Server CLI Configuration (Nmcli & Hosts)CentOS Server CLI Configuration (Nmcli & Hosts)
CentOS Server CLI Configuration (Nmcli & Hosts)Kaan Aslandağ
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to DockerKevin Littlejohn
 
Docker 1.11 Meetup: Containerd and runc, by Arnaud Porterie and Michael Crosby
Docker 1.11 Meetup: Containerd and runc, by Arnaud Porterie and Michael Crosby Docker 1.11 Meetup: Containerd and runc, by Arnaud Porterie and Michael Crosby
Docker 1.11 Meetup: Containerd and runc, by Arnaud Porterie and Michael Crosby Michelle Antebi
 
nouka inventry manager
nouka inventry managernouka inventry manager
nouka inventry managerToshiaki Baba
 
SELF 2014: PBI v10: Application Management Made Easy
SELF 2014: PBI v10: Application Management Made EasySELF 2014: PBI v10: Application Management Made Easy
SELF 2014: PBI v10: Application Management Made EasyKen Moore
 
От sysV к systemd
От sysV к systemdОт sysV к systemd
От sysV к systemdDenis Kovalev
 
Openvpn
OpenvpnOpenvpn
Openvpnmato2012
 
Linux Kernel Parameter Tuning
Linux Kernel Parameter TuningLinux Kernel Parameter Tuning
Linux Kernel Parameter TuningRyo Sasaki
 
Introduction to FreeNAS development by John Hixson
Introduction to FreeNAS development by John HixsonIntroduction to FreeNAS development by John Hixson
Introduction to FreeNAS development by John HixsoniXsystems
 
Nginx
NginxNginx
NginxShaopeng He
 
Glomosim
GlomosimGlomosim
Glomosimbarodia_1437
 
Sten
StenSten
Stenyhiskond1
 
Totalitaarsete riikide kunst. elin lepik. 12b
Totalitaarsete riikide kunst. elin lepik. 12bTotalitaarsete riikide kunst. elin lepik. 12b
Totalitaarsete riikide kunst. elin lepik. 12bjpg12b
 

Contenu connexe

Tendances

Configuration of NTP Server on CentOS 8
Configuration of NTP Server on CentOS 8Configuration of NTP Server on CentOS 8
Configuration of NTP Server on CentOS 8Kaan Aslandağ
 
Quick Start Guide using Virtuozzo 7 (β) on AWS EC2
Quick Start Guide using Virtuozzo 7 (β) on AWS EC2Quick Start Guide using Virtuozzo 7 (β) on AWS EC2
Quick Start Guide using Virtuozzo 7 (β) on AWS EC2Kentaro Ebisawa
 
Configuration of Smtp Server On CentOS 8
Configuration of Smtp Server On CentOS 8Configuration of Smtp Server On CentOS 8
Configuration of Smtp Server On CentOS 8Kaan Aslandağ
 
Configuration of SFTP Server on CentOS 8.pdf
Configuration of SFTP Server on CentOS 8.pdfConfiguration of SFTP Server on CentOS 8.pdf
Configuration of SFTP Server on CentOS 8.pdfKaan Aslandağ
 
CentOS Server CLI Configuration (Nmcli & Hosts)
CentOS Server CLI Configuration (Nmcli & Hosts)CentOS Server CLI Configuration (Nmcli & Hosts)
CentOS Server CLI Configuration (Nmcli & Hosts)Kaan Aslandağ
 
Docker 1.11 Meetup: Containerd and runc, by Arnaud Porterie and Michael Crosby
Docker 1.11 Meetup: Containerd and runc, by Arnaud Porterie and Michael Crosby Docker 1.11 Meetup: Containerd and runc, by Arnaud Porterie and Michael Crosby
Docker 1.11 Meetup: Containerd and runc, by Arnaud Porterie and Michael Crosby Michelle Antebi
 
nouka inventry manager
nouka inventry managernouka inventry manager
nouka inventry managerToshiaki Baba
 
SELF 2014: PBI v10: Application Management Made Easy
SELF 2014: PBI v10: Application Management Made EasySELF 2014: PBI v10: Application Management Made Easy
SELF 2014: PBI v10: Application Management Made EasyKen Moore
 
От sysV к systemd
От sysV к systemdОт sysV к systemd
От sysV к systemdDenis Kovalev
 
Linux Kernel Parameter Tuning
Linux Kernel Parameter TuningLinux Kernel Parameter Tuning
Linux Kernel Parameter TuningRyo Sasaki
 
Introduction to FreeNAS development by John Hixson
Introduction to FreeNAS development by John HixsonIntroduction to FreeNAS development by John Hixson
Introduction to FreeNAS development by John HixsoniXsystems
 

Tendances (20)

Configuration of NTP Server on CentOS 8
Configuration of NTP Server on CentOS 8Configuration of NTP Server on CentOS 8
Configuration of NTP Server on CentOS 8
 
Quick Start Guide using Virtuozzo 7 (β) on AWS EC2
Quick Start Guide using Virtuozzo 7 (β) on AWS EC2Quick Start Guide using Virtuozzo 7 (β) on AWS EC2
Quick Start Guide using Virtuozzo 7 (β) on AWS EC2
 
OpenVPN
OpenVPNOpenVPN
OpenVPN
 
DevOps Braga #6
DevOps Braga #6DevOps Braga #6
DevOps Braga #6
 
RHCSA
RHCSARHCSA
RHCSA
 
Configuration of Smtp Server On CentOS 8
Configuration of Smtp Server On CentOS 8Configuration of Smtp Server On CentOS 8
Configuration of Smtp Server On CentOS 8
 
Configuration of SFTP Server on CentOS 8.pdf
Configuration of SFTP Server on CentOS 8.pdfConfiguration of SFTP Server on CentOS 8.pdf
Configuration of SFTP Server on CentOS 8.pdf
 
Cloud Compt
Cloud ComptCloud Compt
Cloud Compt
 
Puppet
PuppetPuppet
Puppet
 
CentOS Server CLI Configuration (Nmcli & Hosts)
CentOS Server CLI Configuration (Nmcli & Hosts)CentOS Server CLI Configuration (Nmcli & Hosts)
CentOS Server CLI Configuration (Nmcli & Hosts)
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
 
Docker 1.11 Meetup: Containerd and runc, by Arnaud Porterie and Michael Crosby
Docker 1.11 Meetup: Containerd and runc, by Arnaud Porterie and Michael Crosby Docker 1.11 Meetup: Containerd and runc, by Arnaud Porterie and Michael Crosby
Docker 1.11 Meetup: Containerd and runc, by Arnaud Porterie and Michael Crosby
 
nouka inventry manager
nouka inventry managernouka inventry manager
nouka inventry manager
 
SELF 2014: PBI v10: Application Management Made Easy
SELF 2014: PBI v10: Application Management Made EasySELF 2014: PBI v10: Application Management Made Easy
SELF 2014: PBI v10: Application Management Made Easy
 
От sysV к systemd
От sysV к systemdОт sysV к systemd
От sysV к systemd
 
Openvpn
OpenvpnOpenvpn
Openvpn
 
Linux Kernel Parameter Tuning
Linux Kernel Parameter TuningLinux Kernel Parameter Tuning
Linux Kernel Parameter Tuning
 
Introduction to FreeNAS development by John Hixson
Introduction to FreeNAS development by John HixsonIntroduction to FreeNAS development by John Hixson
Introduction to FreeNAS development by John Hixson
 
Nginx
NginxNginx
Nginx
 
Glomosim
GlomosimGlomosim
Glomosim
 

En vedette

Totalitaarsete riikide kunst. elin lepik. 12b
Totalitaarsete riikide kunst. elin lepik. 12bTotalitaarsete riikide kunst. elin lepik. 12b
Totalitaarsete riikide kunst. elin lepik. 12bjpg12b
 
Muutused igapäevaelus varauusajal
Muutused igapäevaelus varauusajalMuutused igapäevaelus varauusajal
Muutused igapäevaelus varauusajalMihhail Sorokin
 
The Seven Wonders Of The Ancient Worls
The Seven Wonders Of The Ancient WorlsThe Seven Wonders Of The Ancient Worls
The Seven Wonders Of The Ancient WorlsAndre Kaasik
 
Euroopa riigid
Euroopa riigidEuroopa riigid
Euroopa riigidjaanikapr
 
Uusaeg1 - varauusaeg konspekt
Uusaeg1 - varauusaeg konspektUusaeg1 - varauusaeg konspekt
Uusaeg1 - varauusaeg konspektkristel84
 
Musket age of warfare 2010
Musket age of warfare 2010Musket age of warfare 2010
Musket age of warfare 2010Mr.J
 
Industrial age1850 1900 spring 2011
Industrial age1850 1900 spring 2011Industrial age1850 1900 spring 2011
Industrial age1850 1900 spring 2011Mr.J
 
10 ptk sojandus uusajal
10 ptk sojandus uusajal10 ptk sojandus uusajal
10 ptk sojandus uusajalMärt Männik
 
Valgustus, Prantsuse revolutsioon, Napoleon gümnaasiumile
Valgustus, Prantsuse revolutsioon, Napoleon gümnaasiumileValgustus, Prantsuse revolutsioon, Napoleon gümnaasiumile
Valgustus, Prantsuse revolutsioon, Napoleon gümnaasiumileDagmar Seljamäe
 
The musket age
The musket ageThe musket age
The musket ageMr.J
 
Euroopa riigid ja rahvad. Absolutism.
Euroopa riigid ja rahvad. Absolutism.Euroopa riigid ja rahvad. Absolutism.
Euroopa riigid ja rahvad. Absolutism.Natalja Dovgan
 
Natsionaalsotsialistlik Saksamaa
Natsionaalsotsialistlik SaksamaaNatsionaalsotsialistlik Saksamaa
Natsionaalsotsialistlik SaksamaaSander Saks
 
Inglise kodusõda 1642 1660
Inglise kodusõda 1642 1660Inglise kodusõda 1642 1660
Inglise kodusõda 1642 1660Katri Silla
 
Natsionaalsotsialistlik Saksamaa
Natsionaalsotsialistlik SaksamaaNatsionaalsotsialistlik Saksamaa
Natsionaalsotsialistlik SaksamaaInga Zemit
 

En vedette (19)

Sten
StenSten
Sten
 
Totalitaarsete riikide kunst. elin lepik. 12b
Totalitaarsete riikide kunst. elin lepik. 12bTotalitaarsete riikide kunst. elin lepik. 12b
Totalitaarsete riikide kunst. elin lepik. 12b
 
Muutused igapäevaelus varauusajal
Muutused igapäevaelus varauusajalMuutused igapäevaelus varauusajal
Muutused igapäevaelus varauusajal
 
Organizac..
Organizac..Organizac..
Organizac..
 
The Seven Wonders Of The Ancient Worls
The Seven Wonders Of The Ancient WorlsThe Seven Wonders Of The Ancient Worls
The Seven Wonders Of The Ancient Worls
 
Euroopa riigid
Euroopa riigidEuroopa riigid
Euroopa riigid
 
Uusaeg1 - varauusaeg konspekt
Uusaeg1 - varauusaeg konspektUusaeg1 - varauusaeg konspekt
Uusaeg1 - varauusaeg konspekt
 
Musket age of warfare 2010
Musket age of warfare 2010Musket age of warfare 2010
Musket age of warfare 2010
 
Industrial age1850 1900 spring 2011
Industrial age1850 1900 spring 2011Industrial age1850 1900 spring 2011
Industrial age1850 1900 spring 2011
 
10 ptk sojandus uusajal
10 ptk sojandus uusajal10 ptk sojandus uusajal
10 ptk sojandus uusajal
 
Valgustus, Prantsuse revolutsioon, Napoleon gümnaasiumile
Valgustus, Prantsuse revolutsioon, Napoleon gümnaasiumileValgustus, Prantsuse revolutsioon, Napoleon gümnaasiumile
Valgustus, Prantsuse revolutsioon, Napoleon gümnaasiumile
 
The musket age
The musket ageThe musket age
The musket age
 
Euroopa riigid ja rahvad. Absolutism.
Euroopa riigid ja rahvad. Absolutism.Euroopa riigid ja rahvad. Absolutism.
Euroopa riigid ja rahvad. Absolutism.
 
Natsionaalsotsialistlik Saksamaa
Natsionaalsotsialistlik SaksamaaNatsionaalsotsialistlik Saksamaa
Natsionaalsotsialistlik Saksamaa
 
Inglise kodusõda 1642 1660
Inglise kodusõda 1642 1660Inglise kodusõda 1642 1660
Inglise kodusõda 1642 1660
 
Natsionaalsotsialistlik Saksamaa
Natsionaalsotsialistlik SaksamaaNatsionaalsotsialistlik Saksamaa
Natsionaalsotsialistlik Saksamaa
 
Talupoeg ja maaisand
Talupoeg ja maaisandTalupoeg ja maaisand
Talupoeg ja maaisand
 
Slidashare
SlidashareSlidashare
Slidashare
 
Vana-Egiptus
Vana-EgiptusVana-Egiptus
Vana-Egiptus
 

Similaire à Building a moat bastion server

Tested install-isp config3-ubuntu-16-04
Tested install-isp config3-ubuntu-16-04Tested install-isp config3-ubuntu-16-04
Tested install-isp config3-ubuntu-16-04SANTIAGO HERNÁNDEZ
 
Provisioning on Libvirt with Foreman
Provisioning on Libvirt with ForemanProvisioning on Libvirt with Foreman
Provisioning on Libvirt with ForemanNikhil Kathole
 
Razor, the Provisioning Toolbox - PuppetConf 2014
Razor, the Provisioning Toolbox - PuppetConf 2014Razor, the Provisioning Toolbox - PuppetConf 2014
Razor, the Provisioning Toolbox - PuppetConf 2014Puppet
 
Vagrant, Ansible, and OpenStack on your laptop
Vagrant, Ansible, and OpenStack on your laptopVagrant, Ansible, and OpenStack on your laptop
Vagrant, Ansible, and OpenStack on your laptopLorin Hochstein
 
How to turn any dynamic website into a static site | 24.01.2018 | Artem Danil...
How to turn any dynamic website into a static site | 24.01.2018 | Artem Danil...How to turn any dynamic website into a static site | 24.01.2018 | Artem Danil...
How to turn any dynamic website into a static site | 24.01.2018 | Artem Danil...LumoSpark
 
Cobbler, Func and Puppet: Tools for Large Scale Environments
Cobbler, Func and Puppet: Tools for Large Scale EnvironmentsCobbler, Func and Puppet: Tools for Large Scale Environments
Cobbler, Func and Puppet: Tools for Large Scale EnvironmentsMichael Zhang
 
Implementation of DNS Anycast - a case study
Implementation of DNS Anycast - a case studyImplementation of DNS Anycast - a case study
Implementation of DNS Anycast - a case studyA. S. M. Shamim Reza
 
Automação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOpsAutomação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOpsRaul Leite
 
Linux Containers From Scratch
Linux Containers From ScratchLinux Containers From Scratch
Linux Containers From Scratchjoshuasoundcloud
 
Instalando Cacti no CentOS 5
Instalando Cacti no CentOS 5Instalando Cacti no CentOS 5
Instalando Cacti no CentOS 5Carlos Eduardo
 
Component pack 6006 install guide
Component pack 6006 install guideComponent pack 6006 install guide
Component pack 6006 install guideRoberto Boccadoro
 
Linux sever building
Linux sever buildingLinux sever building
Linux sever buildingEdmond Yu
 
OSDC 2014: Jan-Piet Mens - Configuration Management with Ansible
OSDC 2014: Jan-Piet Mens - Configuration Management with Ansible OSDC 2014: Jan-Piet Mens - Configuration Management with Ansible
OSDC 2014: Jan-Piet Mens - Configuration Management with Ansible NETWAYS
 
Using Service Oriented Operation and Provisioning at Financial Times
Using Service Oriented Operation and Provisioning at Financial TimesUsing Service Oriented Operation and Provisioning at Financial Times
Using Service Oriented Operation and Provisioning at Financial TimesEmeka Mosanya
 

Similaire à Building a moat bastion server (20)

Tested install-isp config3-ubuntu-16-04
Tested install-isp config3-ubuntu-16-04Tested install-isp config3-ubuntu-16-04
Tested install-isp config3-ubuntu-16-04
 
Nginx2
Nginx2Nginx2
Nginx2
 
Provisioning on Libvirt with Foreman
Provisioning on Libvirt with ForemanProvisioning on Libvirt with Foreman
Provisioning on Libvirt with Foreman
 
Genode Compositions
Genode CompositionsGenode Compositions
Genode Compositions
 
Razor, the Provisioning Toolbox - PuppetConf 2014
Razor, the Provisioning Toolbox - PuppetConf 2014Razor, the Provisioning Toolbox - PuppetConf 2014
Razor, the Provisioning Toolbox - PuppetConf 2014
 
Vagrant, Ansible, and OpenStack on your laptop
Vagrant, Ansible, and OpenStack on your laptopVagrant, Ansible, and OpenStack on your laptop
Vagrant, Ansible, and OpenStack on your laptop
 
How to turn any dynamic website into a static site | 24.01.2018 | Artem Danil...
How to turn any dynamic website into a static site | 24.01.2018 | Artem Danil...How to turn any dynamic website into a static site | 24.01.2018 | Artem Danil...
How to turn any dynamic website into a static site | 24.01.2018 | Artem Danil...
 
LSA2 - 02 Namespaces
LSA2 - 02 NamespacesLSA2 - 02 Namespaces
LSA2 - 02 Namespaces
 
Cobbler, Func and Puppet: Tools for Large Scale Environments
Cobbler, Func and Puppet: Tools for Large Scale EnvironmentsCobbler, Func and Puppet: Tools for Large Scale Environments
Cobbler, Func and Puppet: Tools for Large Scale Environments
 
Cobbler, Func and Puppet: Tools for Large Scale Environments
Cobbler, Func and Puppet: Tools for Large Scale EnvironmentsCobbler, Func and Puppet: Tools for Large Scale Environments
Cobbler, Func and Puppet: Tools for Large Scale Environments
 
Kickstart
KickstartKickstart
Kickstart
 
Implementation of DNS Anycast - a case study
Implementation of DNS Anycast - a case studyImplementation of DNS Anycast - a case study
Implementation of DNS Anycast - a case study
 
Automação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOpsAutomação do físico ao NetSecDevOps
Automação do físico ao NetSecDevOps
 
Linux Containers From Scratch
Linux Containers From ScratchLinux Containers From Scratch
Linux Containers From Scratch
 
Instalando Cacti no CentOS 5
Instalando Cacti no CentOS 5Instalando Cacti no CentOS 5
Instalando Cacti no CentOS 5
 
Component pack 6006 install guide
Component pack 6006 install guideComponent pack 6006 install guide
Component pack 6006 install guide
 
Linux sever building
Linux sever buildingLinux sever building
Linux sever building
 
OSDC 2014: Jan-Piet Mens - Configuration Management with Ansible
OSDC 2014: Jan-Piet Mens - Configuration Management with Ansible OSDC 2014: Jan-Piet Mens - Configuration Management with Ansible
OSDC 2014: Jan-Piet Mens - Configuration Management with Ansible
 
Puppetconf2012
Puppetconf2012Puppetconf2012
Puppetconf2012
 
Using Service Oriented Operation and Provisioning at Financial Times
Using Service Oriented Operation and Provisioning at Financial TimesUsing Service Oriented Operation and Provisioning at Financial Times
Using Service Oriented Operation and Provisioning at Financial Times
 

Building a moat bastion server

  • 3. What does it do? Provides a secure, single point of entry to your application servers
  • 4. Why do you care?
  • 5. What’s it look like? Service Requests SSH
  • 6. Bastion System Setup wget ruby* MySQL* curl postgresql* xorg* nginx net-snmp-libs jasper-libs Uninstall telnet everything! php* automake *X11 monit gcc DNS Name Server Mail Server ftp neon *devel* finger fetchmail net-snmp-libs
  • 7. Bastion System Setup install netcat
  • 8. Bastion System Setup update everything that remains! sudo yum upgrade
  • 9. Bastion SSH Config Change Port from 22 Port 2222 Disable password logins/auth PasswordAuthentication no Disable PAM UsePAM no
  • 10. Bastion IPTABLES DENY!!!!! /etc/sysconfig/iptables ... *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [237:32957] -A INPUT -i lo -j ACCEPT -A INPUT -m state --state ESTABLISHED -j ACCEPT -A INPUT -m state --state INVALID -j DROP -A INPUT -p icmp -j ACCEPT -A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT COMMIT
  • 11. Bastion User Create a secure user group sudo /usr/sbin/groupadd moat Create a “keymaster” Generate and upload an SSH key
  • 12. Other Users Generate ssh-keys, use passphrases! sudo /usr/sbin/useradd -G moat -m new_user sudo mkdir -p /home/new_user/.ssh sudo mv ~/.new_user_ssh.pub /home/new_user/.ssh/authorized_keys sudo chmod -R 700 /home/new_user/.ssh sudo chown -R new_user:new_user /home/new_user/.ssh echo Any_r@nd0m_p@55w04D | sudo passwd new_user --stdin
  • 13. Protected Server Iptables ... *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] ... -A INPUT -s <moat’s IP address> -p tcp -m tcp --dport 22 -j ACCEPT # HTTP and HTTPS -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT COMMIT
  • 14. SSH Proxy through moat to access remote machines Host app001 Hostname app-001.blackboxservers.com User app_user ProxyCommand ssh -q -p 2222 $MOAT_USER@moat-001.blackboxservers.com nc %h 22 To SSH, just export your name and go! $> export MOAT_USER=george $> ssh app001 george@app-001.blackboxservers.com's password: